Data Protection policy

Data Protection policy

First version: 2021-05-13
Last updated: 2023-10-25
Last change(s): Added links to GDPR compliance assessment, Data Handling policy, GDPR Article 5; Modified contact information; Substituted Azure DRE for myDRE; Formatting. 
Approval: 2023-10-26
Classification: Low

Purpose

anDREa B.V. (hereafter called anDREa) is committed to protect the data and privacy of all stakeholders. For the use of myDRE, anDREa has performed a GDPR Compliance Assessment. This displays what evidence myDRE can provide and what the user should provide to be GDPR-compliant.

The purpose of this document is to describe anDREa’s Data Protection policy. It is to be read combined with the Data Handling policy.

This document will be updated at least annually and when significant change happens to the relevant areas covered.

Definitions


Scope & governance

The following only applies to myDRE user information and might be restricted due to our duty to provide demonstrable evidence through logging.

In the services anDREa offers:

Type of data
anDREa
Tenant/Accountable
User Account data
Processor**
n/a
Data in Workspaces
Processor
Controller
**Because anDREa operates on instruction of its Tenants, including but not limited to, collecting and storing user actions, anDREa is also Processor for user related data.

The Six GDPR Principles

anDREa is fully committed to Article 5 of the GDPR and thus with respect to personal data, anDREa will ensure data is:

(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).”

For a more detailed self assessment, please visit our GDPR compliance assessment.

Data subject rights

We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
  1. The right to be informed – You have the right to request copies of your personal data. We may charge you a small fee for this service.
  2. The right to access – You have the right to request copies of your personal data. We may charge you a small fee for this service.
  3. The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete the information you believe is incomplete.
  4. The right to erasure – You have the right to request that we erase your personal data, under certain conditions.
  5. The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.
  6. The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.
  7. The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
  8. Rights related to automated decision making including profiling – You are permitted to challenge and request a review of the processing if they believe the rules aren’t being followed.
The above only applies to:
myDRE user information and might be restricted due to our duty to provide demonstrable evidence through logging.

The above does not apply to:
Data processed within a Workspace:
  1.      Falls under the responsibility of the Tenant or Accountable of the particular workspace.


Contact information

Contact anDREa for requests regarding the above:
  1. Goto https://support.mydre.org/portal/en/myarea
    1. If needed, please create an account first
  2. Click Add ticket
  3. Click anDREa Organization
  4. Fill in the details and submit the ticket.
Though data within Workspaces are not our responsibility, feel free to contact us so that we can get you in touch with the controller of that data.

    • Related Articles

    • Data Protection Impact Assessment (DPIA)

      First version: 2021-05-13 Last updated: 2024-03-07 Last change: Added link to NEN-7510 article. Introduction anDREa is committed to the GDPR. The purpose of this document is to describe anDREa’s Data Protection Impact Assessment (DPIA). The template ...

    • Privacy Policy

      Introduction anDREa is committed to be GDPR Compliant and protect the data and privacy of all stakeholders. The purpose of this document is to describe anDREa’s Data Handling Policy. The rules for acceptable use must take into consideration ...

    • Data Breach Procedure

      First version: 2021-04-15 Last updated: 2023-10-19 Last change: Link to Data Protection policy Introduction Every care is taken by anDREa to protect personal data from situations where a data protection breach could compromise security. This policy ...

    • Data Handling policy

      First version: 2021-05-13 Last updated: 2023-10-19 Last change: Removed a double negative sentence based on the feedback in our Support Team Agreement. Introduction anDREa B.V. (hereafter called anDREa) is committed to protect the data and privacy of ...

    • EU Data Protection Code of Conduct for Microsoft Azure

      Trust in cloud computing is essential (copied from euroc.cloud) It has never been more true than today to assert that without user trust, technology will not be able to advance to reach its full potential. At the core of building trust is robust data ...